Data Privacy / Roles and Responsibilities

Roles and responsibilities

1. Roles of companies in the processing of personal data

In the Cloud industry, companies can take different roles. It is essential for organizations involved in the processing of personal data to be able to determine whether they are acting as a data controller or as a data processor in respect of such processing. This is particularly important in situations such as a data breach where it will be necessary to determine which organization has what responsibility. 

Sometimes , the same company could act as a data processor and as a data controller. 

The data controller determines the purposes and the means of the processing of personal data . So, if your company decides ‘why’ and ‘how’, you are the controller of the personal data processing activities.

The data processor is a company processing the personal data on behalf of the data controller pursuant to the performance of a particular service or business offering.

However, the fact that one organization provides a service to another organization does not necessarily mean that it is acting as a data processor. It could be a data controller in its own right, depending on the degree of control it exercises over the processing operation.

The services provided by CloudBlue will typically fall under one or more of these categories:

  • Software as a Service (“SaaS”): CloudBlue provides software applications over the Internet and represents “Connect” and “Commerce as a Service” (or “Marketplace as a Service”) offerings.
  • Platform as a Service (“PaaS”): CloudBlue provides and/or manages infrastructure required to run the “CloudBlue software”

In accordance with the regulatory guidance and industry practices, CloudBlue, as a cloud service provider, will be acting as a data processor of its customers.

2. Responsibilities arising out of the processing of personal data

Under the applicable data protection laws, the controller is responsible for the processing of personal data, where the processor acts on controller’s instructions. However, in some jurisdictions such as in the European Union, both controllers and processors have their own separate legal obligations with regards to the handling and protection of personal data, for example: security of the data and data transfers.

In such regard, each company bears its own legal responsibility for its compliance with its own legal obligations. It is also important to understand that company’s liability towards the regulators or the responsible administrative authority for breaches by a company of the applicable laws, cannot be limited or excluded by law. 

However, taking into consideration the nature of the service provided by CloudBlue, multiple parties will play a role in in the security and protection of the personal data stored in and processed through CloudBlue’s platforms and cloud services. 

  • CloudBlue’s customer and such customer’s multiple business partners such as vendors, distributors and resellers all play a role. The acts and omissions of any party, other than CloudBlue authorized sub-processors, however, are fully outside of the control or the visibility of the Cloud services provider. 
  • Customer as the controller of the data maintains ownership of the personal data it uploads into CloudBlue products. Therefore, the customer selects which personal data can be processed, stored, and hosted through CloudBlue products. CloudBlue does not access or use the customer’s personal data for any purpose other then what is agreed with the customer in advance, except in each case as necessary to comply with the applicable laws or a binding order of a governmental body. 
  • The customer controls its data. As long as it is technically feasible, the customer determines where its data will be stored, including the type of storage and geographic region of that storage in accordance with the options offered by CloudBlue. CloudBlue offers industry standard security features to protect and encrypt customer’s data in transit and at rest which are appropriate to the risks presented by the processing of the data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing of the data, the nature of the data as well as the risk and severity for the rights and freedoms of natural persons. The Customer manages its data, the access to such data and the access to CloudBlue services and resources through identity and access policy based on users, groups, permissions, and credentials that it controls.
  • When evaluating the security of a cloud solution, it is important to understand and distinguish between the security of the cloud, and security in the cloud. Security of the cloud encompasses the security measures that CloudBlue implements and operates. CloudBlue is responsible for the security of the cloud. Security in the cloud, however, encompasses the security measures that the customer, as a data controller, implements and operates related to the CloudBlue products the customer uses. The customer is responsible for the security in the cloud and is responsible to receive awareness education and training with regular updates as relevant for the particular business role.

Security and data protection compliance is a shared responsibility between CloudBlue and each customer. The shared responsibility model is a useful approach to illustrate the different responsibilities of CloudBlue (as a data processor or sub-processor) and customers (as either data controllers or data processors) under the applicable data protection laws. Under the shared responsibility model, CloudBlue is responsible for the security of the cloud, while the customer is responsible for security in the cloud. Shared model configuration depends on the CloudBlue services that customers elect to use and how those services are integrated into customers’ IT environments. Depending on this configuration, the responsibility of the provider (processor or sub-processor) or the customer (controller), may vary.

The services provided by CloudBlue will typically fall under one or more of these categories, as explained further under section “What is a data processor”:

  • Software as a Service (“SaaS”)
  • Platform as a Service (“PaaS”)

The following diagram reflects the distribution of responsibilities in the case of a SaaS configuration:

In case of using a PaaS or IaaS, the data controller could have additional responsibilities, which is represented in the following diagram:

At CloudBlue, our highest priority is securing our customers’ data, and we implement rigorous contractual, technical and organizational measures to protect the confidentiality, integrity, and availability of the information regardless of the region where the customer is located and the origin of the data. More information can be found here.

Considering the above, in order to ensure compliance with its own obligations as a processor, CloudBlue has implemented appropriate measures to cover the risk associated with the processing of personal data as part of the provision of the cloud services to its customers. Further to that, CloudBlue’s data protection program is a global one, applicable to all its operations WW and built on the basis of the requirements of the GDPR. All security and data protection standards and practices required to be respected in the European Union are also implemented and respected by CloudBlue in non-European Union locations.

CloudBlue offers to its customers a GDPR-compliant and industry standard Data Processing Agreement which provides the necessary commitments and assurance regarding the processing and handling of customer’s personal data by CloudBlue through the provision of CloudBlue business offerings.

CloudBlue may need to use third-party sub-contractors or other affiliates for the provision of the services. However, when using subcontractors, CloudBlue (i) validates the standards followed by the relevant sub-contractors before engaging it for the services, (ii) executes necessary agreements with such sub-contractors, and (iii) requests from its sub-contractors to comply with all applicable laws and requirements for the processing of personal data.